Microsoft Isn’t Worried About ‘The Collector’s’ Password Cache

Last week, the computer security industry was abuzz with the revelation that “The Collector,” a Russian Hacker, had amassed 272 million stolen log-ins, affecting major online email providers, including Yahoo,Google, Mail.ru and Microsoft’s own Hotmail. Alex Weinert, group program manager of Microsoft’s Identity Protection team, took to the company’s blog to reveal the impact of the seemingly major breach on the company’s user base—in short, not much. Less than 10 percent of the usernames on The Collector’s list matched an account on Microsoft’s systems, Weinert said. Of those, 1.03 percent had the proper corresponding password, meaning that less than 0.1 percent of the list had a correct username-password match for a Microsoft account. From there, the risk to Microsoft’s users kept shrinking.

“But remember, our machine-learning systems and algorithms find and automatically protect most compromised credentials before any disclosure. In this case, we had already protected 58.3 percent of that 0.1 percent because we had already caught an invalid access attempt or other suspicious activity,” Weinert explained.

All told, a mere 0.042 percent of the stolen credentials on The Collector’s list were at risk. Affected consumer accounts have been flagged by Microsoft so that the next time their users log in, they will be asked to verify their identities and change their passwords. Most stolen password lists are compiled from Websites with weak encryption or ones that store their passwords in plain text, according to Weinert, suggesting that the Hotmail credentials weren’t plucked directly from Microsoft’s systems.

Phishing and malware also play a role, and password reuse exacerbates the problem by compromising the accounts of other providers that users are likely to patronize. Log-in credentials are often the weakest link both personal and enterprise data security. Phishers, for example, spam individual and corporate email accounts in the hopes that users will open malicious attachments or click on links to fraudulent sites that collect passwords. A recent report from Verizon revealed that users open up 30 percent of phishing messages (a 7 percent increase since 2015), and 13 percent of them click on phony links or open dangerous attachments.

To help combat this in the enterprise, where a single set of stolen credentials can help a hacker establish a firm foothold on a corporate network, Microsoft has been building up its cloud- and machine-learning-based defenses. Last year, Microsoft announced a new option for Azure Active Directory (AD) Premium customers that alerts administrators when their users’ credentials have leaked by culling and analyzing data from publicly disclosed password lists. In March, the company announced a public beta of its Azure AD Identity Protection product. Using machine-learning-based detection and automated mitigation technologies, the service intercepts suspicious log-in attempts and blocks access if necessary. Each authentication request generates a risk score. Based on that score, administrators can configure Azure AD Identity Protection to deny access, require that users change their passwords or pose a multifactor authentication challenge.